
Check Point VPN

This document describes the steps required to integrate a Check Point VPN with the Keyless RADIUS Server.
Check Point Secure Remote Access is a VPN solution from Check Point that can be integrated with Keyless to provide a secure login experience. This guide shows how to accomplish that using the Keyless RADIUS Appliance.

Assumptions

  • At least one account has been configured with the Keyless Authenticator so that it can be used to test authentication on the Keyless RADIUS server.
  • The Check Point Server is already up and running; its initial setup is out of scope for this guide.
  • The Check Point Mobile Access role has been configured and a VPN connection with a standard username and password is up and running.
  • An internal network (e.g. CP_Default_Office) to which VPN clients will be directed has been created.
  • This document is based on the network configuration shown below (network setup, routes, etc.). Steps may vary according to your network configuration and architecture.
This walkthrough uses Check Point standalone version R80.40, where both the management and gateway server roles are installed. Steps may vary between Check Point server and client versions.

Adding the RADIUS Server in the Check Point Gateway server

Open Check Point SmartConsole, select the Gateway that will use the Keyless RADIUS server and click on "Edit".
Select Gateway and click "Edit".
1. In the SmartConsole, create a RADIUS Host object by selecting "New" > "Host".
Add a new Host.
2. Give the Host object a meaningful name (e.g. Keyless RADIUS Connector) and assign its public IP address.
Assign public IP address.
3. Create a RADIUS Server object by selecting "New" > "More" > "Server" > "More" > "RADIUS".
Create a new RADIUS server.
Configure the following values:
  • Name the RADIUS Server object (e.g. Keyless RADIUS).
  • Associate the RADIUS Server object with the RADIUS Host object created in the previous step (e.g. Keyless RADIUS Connector).
  • Select "NEW-RADIUS" on port 1812.
The Keyless RADIUS Connector listens on port 1812.
  1. Assign the same Shared Secret that you configured on the Keyless RADIUS Connector deployment (see here).
  2. Select RADIUS Ver. 2.0.
  3. Select PAP as Protocol.
  4. Select 1 as Priority (it is assumed that this is the only RADIUS Server).
Click "OK".
Configure new RADIUS object.
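Before installing the policy, it is worth confirming that the port, shared secret and protocol configured above actually match what the RADIUS server expects, from a host that can reach it. The following script is an added example, not Keyless or Check Point code: it builds a PAP Access-Request the way a gateway does (RFC 2865, including the User-Password hiding that depends on the shared secret), sends it over UDP, and validates the Response Authenticator so that a reply from a server holding a different secret is rejected rather than trusted. The host, port, username, password and secret in it are placeholders to be replaced with your own values; the functions are split out so the packet logic can be exercised without a server.

```python
"""Minimal RADIUS PAP test client (RFC 2865) for checking a RADIUS server's
port and shared secret before a gateway is pointed at it.
Added example, not Keyless or Check Point code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password per RFC 2865 section 5.2: pad to a multiple of
    16 and XOR each block with MD5(secret + previous block), seeded with the
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    encryption, which is why the secret (and the transport) must be protected."""
    if len(password) > 128:
        raise ValueError("PAP password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username, password, secret, identifier=0,
                         request_authenticator=None, nas_id=b"test-client"):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    auth = request_authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs, auth


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, packet[4:20], attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet, secret, request_authenticator) -> bool:
    """Client side: the reply must be bound to our request and to the shared secret."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def check_server(host, port, username, password, secret, timeout=10.0):
    """Send one Access-Request over UDP and return the reply's code name.
    Raises on timeout or when the reply fails the authenticator check."""
    packet, auth = build_access_request(username, password, secret, identifier=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    code, identifier, _, _ = parse_packet(reply)
    if identifier != packet[1] or not verify_response(reply, secret, auth):
        raise RuntimeError("reply failed the Response Authenticator check (wrong shared secret?)")
    return CODE_NAMES.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholder values: replace with the connector's address and the secret from its
    # deployment. The timeout is generous because the user has to approve the login.
    print(check_server("RADIUS_CONNECTOR_IP", 1812, "enrolled-user", "anything",
                       b"SHARED_SECRET", timeout=60))
```

An Access-Accept confirms port, secret and PAP handling end to end; a RuntimeError from the authenticator check usually means the secret differs between the two sides, and a timeout usually means the port is not reachable. The script sends only the three classic attributes and no Message-Authenticator (RFC 2869 attribute 80), so a server configured to require that attribute on every request will reject it even when the secret is right.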
Now go to "VPN Clients" > "Office Mode" and configure the following values:
  • Select "Allow Office Mode" to all users.
  • Office Mode Method
    • Select "From ipassignment.conf located in $FWDIR/conf - always tried first"
    • Using one of the following methods
      • Select "Manual (using IP pool)"
      • Select an internal network that has been previously configured
Click on the "OK" button.
VPN client Office Mode configuration.
Now go to "Mobile Access" > "Authentication" in the Check Point SmartConsole.
Click on the "Settings" button and configure as follows:
  • Check "Allow newer clients that support Multiple Login Options to use this authentication method".
  • Display Name: RADIUS
  • Authentication method: RADIUS
  • Server: Select the RADIUS Server previously created (e.g. Keyless RADIUS)
Click on the "OK" button.
Single Authentication Client Settings.
Now go to "Mobile Access" > "Office Mode" and configure the following values:
  • Select "Allow Office Mode" to all users
  • Office Mode Method
    • Select "From ipassignment.conf located in $FWDIR/conf - always tried first"
    • Using one of the following methods
      • Select "Manual (using IP pool)"
      • Select an internal network that has been previously configured
Click on the "OK" button.

Create a new "External User Profile" that will be applied to all users

  1. In the SmartConsole, go to the "Manage & Settings" tab.
    • Click "Blades".
    • Click "Mobile Access" > "Configure in SmartDashboard"
  2. From the Network object tree, click the Users icon.
Right-click "External User Profiles" and select "New External User Profile" > "Match all users...".
Configure this profile as follows:

General Properties

  • External Username Profile: generic* (should be the default option)
Configure External User Profile.

Authentication

  • Authentication Scheme: RADIUS
  • Select a RADIUS Server or a Group Of Servers: Select the RADIUS Server object previously created (e.g. Keyless RADIUS)
Click "OK" and close the SmartDashboard.
Install the policy in the SmartConsole portal.

Configure the Check Point VPN Client

The Check Point VPN client can be downloaded from this website.
Start the installation wizard and select the "Endpoint Security VPN" option when asked:
Select Endpoint Security VPN.
In the bottom right corner of the Windows taskbar, click on the Check Point VPN Client icon and then click on "Connect to...".
Select "Yes" if you are prompted with the following message.
Click "Next".
  • Server address or Name: Provide the Check Point Server public IP (e.g. 88.99.77.89)
  • Display Name: CheckPoint VPN Name (e.g. Keyless VPN)
Click "Next".
Once the VPN client has discovered the Check Point VPN Server, select RADIUS (default) as the login option and click "Next".
Select "Username and Password" and click "Next".
Click on the "Finish" button.

Test the Keyless Authentication

In the bottom right corner of the Windows taskbar, click on the Check Point VPN Client icon and then click on "Connect to...".
Connect to the VPN using Keyless.
  • Username: provide the username that you used during the enrollment process with Keyless Authenticator
  • Password: provide a random fake password (the Check Point client requires a non-empty password)
Click "Connect".
You will receive a notification on Keyless Authenticator. Once you have been authenticated, the VPN Client will be connected.